psalm/docs/running_psalm/issues/TaintedInclude.md

# TaintedInclude

Emitted when user-controlled input can be passed into to an `include` or `require` expression.

Passing untrusted user input to `include` calls is dangerous, as it can allow an attacker to execute arbitrary scripts on your server.

```php
<?php

$name = $_GET["name"];

includeCode($name);

function includeCode(string $name) : void {
    include($name . '.php');
}
```
Break out TaintedInput issues into a lot of separate ones 2020-11-17 18:44:31 +01:00			`# TaintedInclude`

Improve documentation for taints a little Ref #4590 2020-11-17 22:03:50 +01:00			Emitted when user-controlled input can be passed into to an `include` or `require` expression.
Break out TaintedInput issues into a lot of separate ones 2020-11-17 18:44:31 +01:00
			Passing untrusted user input to `include` calls is dangerous, as it can allow an attacker to execute arbitrary scripts on your server.

			```php
			`<?php`

			`$name = $_GET["name"];`

			`includeCode($name);`

			`function includeCode(string $name) : void {`
			`include($name . '.php');`
			`}`
			```